HashiCorp Vault Container Plugin
The HashiCorp Vault container plugin allows you to manage secrets and protect sensitive data in your Release infrastructure.
important
You must set up a connection to the HashiCorp Vault server before adding a HashiCorp Vault task. For more information, see Set up Connection to HashiCorp Vault Server.
note
In the release flow editor, Container tasks have a blue border.
HashiCorp Vault provides the following features:
- Create/Update Secret (Container)
- Read Secret (Container)
- Delete Secret (Container)
Prerequisites
For HashiCorp Vault integration, you need the following:
- A HashiCorp Vault server that is running and accessible over HTTP(S)
- A remote runner set up to run the container tasks
Set up Connection to HashiCorp Vault Server
- From the navigation pane, under CONFIGURATION, click Connections.
- Under Secrets Management, next to Vault Server (Container), click . The New Vault Server (Container) page opens.
- In the Title field, enter the name of the HashiCorp Vault server. This name will display in HashiCorp Vault tasks.
- In the URL field, enter the URL of the HashiCorp Vault server.
- In the Authentication Method field, select your relevant authentication type from the drop-down list.
- PAT
- Basic
- AppRole
- LDAP
- For Basic and LDAP, enter the Username and Password.
- For AppRole, enter the RoleId and SecretId.
- For PAT, enter the Api Token.
- To test the connection, click Test.
- To save the configuration, click Save.
Create/Update Secret (Container)
The Create/Update Secret (Container) task is used to create or update a secret within the vault.
- In the release flow tab of a Release template, add a task of type Vault > Create/Update Secret (Container).
- Click the added task to open it.
- In the Capabilities field, enter a value that matches the capability set on your remote runner. This routes the job to that particular remote runner.
- In the Server field, select the HashiCorp Vault server that Release connects to.
- In the Mount Point field, enter the mount point path for the secrets engine.
- In the Version field, select the version of the secret that you want to create or update.
- In the Path field, enter the path of the secret that you want to create or update.
- In the Key field, enter the key of the secret that you want to create or update.
- In the Value field, enter the value of the secret that you want to create or update.
Read Secret (Container)
The Read Secret (Container) task is used to read secrets within the vault.
- In the release flow tab of a Release template, add a task of type Vault > Read Secret (Container).
- Click the added task to open it.
- In the Capabilities field, enter a value that matches the capability set on your remote runner. This routes the job to that particular remote runner.
- In the Server field, select the HashiCorp Vault server that Release connects to.
- In the Mount Point field, enter the mount point path for the secrets engine.
- In the Version field, select the version of the secret that you want to read.
- In the Path field, enter the path of the secret that you want to read.
- In the Key field, enter the key of the secret that you want to read.
Delete Secret (Container)
The Delete Secret (Container) task is used to delete secrets within the vault.
- In the release flow tab of a Release template, add a task of type Vault > Delete Secret (Container).
- Click the added task to open it.
- In the Capabilities field, enter a value that matches the capability set on your remote runner. This routes the job to that particular remote runner.
- In the Server field, select the HashiCorp Vault server that Release connects to.
- In the Mount Point field, enter the mount point path for the secrets engine.
- In the Version field, select the version of the secret that you want to delete.
- In the Path field, enter the path of the secret that you want to delete.
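The three tasks above (Create/Update, Read and Delete) map onto Vault's KV secrets engine API. The following is an added example, not the plugin's own code, showing those calls for the Mount Point, Version, Path, Key and Value fields; it assumes Version means the KV engine version (1 or 2), and the `VaultKV` class, `kv_url` and `http_transport` helpers are hypothetical names. It does a read-merge-write so that updating one Key does not silently drop the other keys stored under the same Path, and it distinguishes the v2 soft-delete from removing all versions.

```python
import json
import urllib.error
import urllib.request


def kv_url(server, mount, version, path, op="data"):
    """KV v1 addresses /v1/<mount>/<path>; KV v2 addresses /v1/<mount>/data/<path>
    (op="metadata" gives the v2 endpoint that removes every version of a secret)."""
    base, path = f"{server.rstrip('/')}/v1/{mount.strip('/')}", path.strip("/")
    return f"{base}/{op}/{path}" if version == 2 else f"{base}/{path}"


def http_transport(token):
    """Real transport: JSON over HTTP with the X-Vault-Token header; 404 -> None."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"X-Vault-Token": token})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
        return json.loads(raw) if raw else None
    return send


class VaultKV:
    """transport(method, url, body) returns parsed JSON, or None if the path is absent."""
    def __init__(self, server, transport):
        self.server, self.send = server, transport

    def read(self, mount, version, path, key=None):
        body = self.send("GET", kv_url(self.server, mount, version, path))
        if body is None:
            return {} if key is None else None
        data = body["data"]["data"] if version == 2 else body["data"]  # v2 nests it
        return data if key is None else data.get(key)

    def create_or_update(self, mount, version, path, key, value):
        merged = dict(self.read(mount, version, path))
        merged[key] = value  # keep sibling keys; a bare write would replace them all
        payload = {"data": merged} if version == 2 else merged
        self.send("POST", kv_url(self.server, mount, version, path), payload)
        return merged

    def delete(self, mount, version, path):
        # v2: DELETE on /data/ only soft-deletes the latest version; /metadata/ removes all
        op = "metadata" if version == 2 else "data"
        self.send("DELETE", kv_url(self.server, mount, version, path, op))
```

Use `VaultKV("https://vault.example:8200", http_transport(token))` with a token obtained through the connection's authentication method; the transport is injectable so the merge and path logic can be exercised against an in-memory stand-in.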